Chapter 4. Viruses and Other Wildlife

The word virus has become a generic term describing a number of different types of attacks on computers using malicious code. Just about everybody has heard of computer viruses, worms, Trojan horses, and other malicious software. Many have been infected at least once, either by one of the famous attacks such as Melissa, ExploreZip, MiniZip, Code Red, NIMDA, BubbleBoy, I LoveYou, NewLove, KillerResume, Kournikova, NakedWife, or Klez; or perhaps by a lowly pest picked up in an email or through visiting some web site. A virus or worm could even be active in your machine right now, lying dormant until some trigger activates it. And in today’s world, the line is blurred between viruses and marketing tools, such as pop-ups, adware, or spyware, each of which uses a certain amount of the computer’s resources to display or gather data about the user.

Financial Effects of Malicious Programs

Although estimates vary widely, it is a safe bet that billions of dollars worth of damage have been done over the two decades since malicious code hit the big time. While some of this harm has been due to destruction of data and even damage to hardware, the bulk of the loss is likely lost time.

Spending time recovering from a virus steals opportunity in a few ways:

  • The time and effort it takes to root out the virus and repair the damage.

  • The diversion of time and effort from what may have been revenue production.

  • The out and out loss of computer hardware (rare these days) or documents, files, and applications that either cannot be recovered, or for which the time and expense of recovery can’t be justified.

Putting an actual dollar value on the loss due to viruses requires a lot of guesswork. This is because one affected machine may be used mainly for trivial pursuits and can be easily repaired by simply reloading the machine with fresh copies of applications and any available data, while another may contain the details of an elaborate business deal, your contact book, your master’s thesis, or digital pictures of your loved ones, which must be carefully located, scanned for infections, and copied onto the machine after replacing or repairing any infected files.

Thus the hard number of actual dollar losses due to malware activity is obscured by emotional losses. Just because the actual amount of damage is fuzzy, however, does not degrade the importance of malicious software.

Viruses and Public Health

A primary reason today to care about malicious code, such as viruses and worms, is the same reason it is important to keep one’s vaccination records up to date while traveling. You would not want to become a carrier of some awful disease. Most malicious code today is concerned not only with trashing your machine, but also in using your machine to infect others.

A classic example is the software used to mount a DDoS attack. After hiding itself in your computer, modern malware typically looks for information it can use to infect others, and it usually finds it in your address book or by prowling your local area network. The malware then stalks its new victims, often by sending an email in your name, and infects them as well. This is akin to the way a virus propagates itself in a living organism, and it may be a separate operation from executing the payload—performing the dirty work of the virus—which follows.

Upon command, your machine and all of those you have inadvertently helped infect may then zero in on some target (such as the White House, or a critical server that helps make the Internet function) with tens of thousands of commands and requests coming from all directions. This brings the target to its knees, accomplishing the attacker’s goal. To avoid this, every machine must be a healthy one, so that it does not unwittingly infect its neighbor, which may be you.

Viruses, Worms, and Trojans (Oh, My!)

While historically important, the classification of malicious code into categories such as “virus” or “worm” is today somewhat quaint. Attackers who want to harm your system will get there any way they can and whipping up a software half-breed that blurs definitions would be the least of their worries.

For this reason, modern attack tools tend to be labeled by their function more than their genealogy. Hence there are rootkits, Trojan horses, exploits, password sniffers, and zombies, more than there are viruses and worms. Although we will briefly explore the historic roots and definitions of such malicious programming in a moment, in this book we shall call all such programs malicious code, or for short, malware. And to keep in sync with the general public, we will use the term virus as its synonym.

Knowing a little bit about germs may help you prevent the spread of disease. Similarly, knowing something about malicious code may help prevent the spread of its effects. Most viruses and worms tend to be upgrades or variations of others seen before. For this reason we will review the historic terms and how they came to be, before returning to the present to fight viruses in the here and now.

Viruses

A virus is a code fragment that copies itself into a larger program, modifying that program. Unlike a worm, described in the next section, a virus is not an independent program but depends upon a host program, which it infects. A virus executes only when its host program begins to run. The virus then replicates itself, infecting other programs as it reproduces. After seeing to its own reproduction, it then does whatever dirty work it carries in its programming, or payload. There may not be a payload, or it might shoot blanks. Several powerful viruses have been uncovered that can spread at an alarming rate, but that don’t really do much. Not to say they couldn’t, of course, but their programmer chose to make them weak, or in some cases made a programming error that caused the payload portion to misfire. Nevertheless, every packet that traverses a network means that another packet has to wait its turn. Even if a virus is nothing more than a clever prank, sort of like graffiti on the computerscape, it still has negative impact. And because it is a rogue program turned loose within your computer, it is definitely an intrusion. It has gotten past your defenses, and has demonstrated that you are vulnerable until you take defensive measures.

While viruses generally see to their reproductive needs before their destructive ones, not all viruses launch at the first opportunity. A virus might start reproducing right away, or it might lie dormant for some time, until it’s triggered by a particular event. For example, a particular triggering date may arrive (as with the infamous Friday the 13th virus), or a particular event may occur (for example, deleting a particular person’s name from a payroll file, perhaps indicating that he’s been fired). See the section on "Bombs" later in this chapter for more information about triggers.

Different pathogens may infect different parts of the body, and it is the same for viruses. A virus may infect memory, a floppy disk, a hard drive, a backup tape, or any other type of storage. Like a biological virus, a computer virus invades other organisms, causing those organisms to proliferate and spread the virus. It degrades system performance in addition to whatever other damage (e.g., data deletion) it does. At one time, viruses passed themselves about by hanging around in memory and jumping onto each new floppy disk that was inserted. Today, viruses (and worms too) can spread via a local area network, the Internet, or through the use of infected software on diskettes, recordable CDs, MP3 files, as email attachments, or in any situation in which computers lower their guard and trust each other.

Besides being caught from electronic gathering places such as electronic bulletin boards or newsgroups, or via email or instant messaging software, viruses can also move about as macros, such as those written in the scripting language used to automate keystrokes in office programs such as Microsoft Word or Excel. As we shall see in Chapter 6, infected ActiveX files from the Web, or even Java code, can also be a source of infection.

Until recently, it was necessary for the user to activate a virus by running a corrupted program, such as opening an attachment to an email. Several email reader programs today have the ability to launch attached software automatically, such as music files or graphics. Attackers have figured out how to program malware into such files. As a result, when the user opens the email, the code executes.

Viruses and worms are often confused with each other. During a 1988 outbreak on the Internet, there was much debate about whether the invader was a virus or a worm. Even though we will discuss worms in a moment, in truth, the difference is somewhat academic. Both viruses and worms can deliver a payload, and because it takes processor time to open and activate them, either can result in system and network slowdowns.

Both viruses and worms can protect themselves by hiding in their host programs, by operating in delayed fashion, or by changing their physical characteristics to avoid detection. Sometimes, as is the case with rootkits, they also attempt to destroy the evidence of their wrongdoing. All this may hinder attempts to control and eradicate the offending code. And again, as is the case with a logic bomb that waits until a particular time or event to fire, some malware just entrenches itself and then lies low until called for by its master. A computer thus infected is often called a zombie.

Stealthy attackers create and collect zombies by running programming scripts that probe for vulnerable computers, using various attacks to corrupt them, and then, at a time of their choosing, call them into play for their own purposes. This practice is so highly automated that many researchers report that an unguarded computer on the Internet is likely to become infected in this manner within a few minutes or hours. And yes, some zombies include code that will erase their malware after execution, making them difficult for experts to trace. Of course, the computer owners are usually completely oblivious to this activity.

The history of viruses

According to computer consultant and columnist Rob Rosenberger, the roots of the modern computer virus go back to 1949. This was when computer pioneer John von Neumann presented a paper on the “Theory and Organization of Complicated Automata,” in which he postulated that a computer program could reproduce.

Bell Labs employees gave life to von Neumann’s theory in the 1950s in a game they called “Core Wars.” In this game, two programmers would unleash software “organisms” and watch as they vied for control of the computer. Core Wars was described in three issues of Scientific American in 1983 and 1984. According to some pundits, the code snippets used to illustrate the concepts of this useful game may have provided the first roadmaps to taking viruses out of the arena and into the wild.

This is echoed in science fiction of the day. Gene Spafford of Purdue[14] credits David Gerrold with being the first to use the word “virus” as a computer attack in Gerrold’s science fiction stories about the G.O.D. machine.[15] Spafford describes the origins of the virus:

A subplot in that book described a program named VIRUS created by an unethical scientist. A computer infected with VIRUS would randomly dial the phone until it found another computer. It would then break into that system and infect it with a copy of VIRUS. This program would infiltrate the system software and slow the system down so much that it became unusable (except to infect other machines). The inventor had plans to sell a program named VACCINE that could cure VIRUS and prevent infection, but disaster occurred when noise on a phone line caused VIRUS to mutate so VACCINE ceased to be effective.

In 1984, Ken Thompson described the development of what can be considered the first practical computer virus (though he didn’t give it that name). Thompson wrote a self-reproducing program in the C programming language. He modified the program to “learn” new syntax and then planted a Trojan horse (described later) that deliberately miscompiled the Unix login command, enabling him to log into the system as any user. Next, he added a second Trojan horse aimed at the C compiler. After compiling the modified source with the normal C compiler to produce a bugged binary, he installed this binary as the official C, and removed the bugs from the source of the compiler. Then, whenever the new source of the compiler was compiled, the new binary reinserted the bugs. The login command remained bugged, with no trace in the source.[16]

A number of people developed computer viruses on IBM PC and Apple II computers (though they were not called viruses) during the early 1980s. (According to Spafford, “Festering Hate” and “Cyberaids” were among the infections.)

Fred Cohen from the University of Southern California was the first to define formally the term “computer virus.” (The term was suggested by Cohen’s advisor, Len Adleman, after Cohen developed an experimental program for a security seminar.) According to Cohen, a computer virus is:

...a program that can “infect” other programs by modifying them to include a possibly evolved copy of itself. With the infection property, a virus can spread throughout a computer system or network using the authorizations of every user using it to infect their programs. Every program that gets infected may also act as a virus and thus the infection grows.[17]

In his experiments, Cohen showed how quickly a virus could propagate throughout an entire operating system.

Hundreds of thousands of viruses now inhabit computer systems—particularly in uncontrolled PC environments. Precise calculation is impossible because a generally agreed upon taxonomy of virus types has never come about. Formerly, viruses were often named for the place where they were first discovered (e.g., the Bulgarian Factory of viruses), or for some message displayed by the virus (e.g., the AIDS virus). Examples of early PC viruses include the Brain virus, the Fu Manchu virus, the Icelandic virus, and the Bouncing Ball virus. More recently, as competing teams of virus hunters have tried to eliminate duplication of effort, the names make reference to some distinctive feature in the code of the virus. Examples include SoBig, Code Red, and NIMDA. Even so, they don’t always get it right, hence several popular viruses are known by more than one name.[18]

Worms

A worm is an independent program that reproduces by copying itself in full-blown fashion from one computer to another, usually over a network. Like a virus, a worm compounds the damage it does by spreading rapidly from one site to another. Unlike a virus, which attaches itself to a host program, a worm keeps its independence; it usually doesn’t modify other programs. Like a virus, however, a worm can include malicious instructions that cause damage or annoyance, in addition to whatever inconvenience it causes by tying up the resources of the network as it maintains and reproduces itself.

The notion of a worm as a computer intruder apparently dates from John Brunner’s 1975 science fiction novel, The Shockwave Rider. In Brunner’s book, programs called “tapeworms” lived inside computers, spread from machine to machine, and were “indefinitely self-perpetuating so long as the net exists.”[19]

Around 1980, John Shoch and Jon Hupp, researchers at Xerox Palo Alto Research Center, developed the first experimental worm programs as a research tool.[20] The worms were designed to spread from one computer to another. Shoch and Hupp described their worms as follows:

A worm is simply a computation which lives on one or more machines . . . The programs on individual computers are described as the segments of a worm . . . The segments in a worm remain in communication with each other; should one segment fail, the remaining pieces must find another free machine, initialize it, and add it to the worm. As segments (machines) join and then leave the computation, the worm itself seems to move through the network.

The Xerox PARC worms were, on the whole, useful creatures; they handled mail, ran distributed diagnostics, and performed other distributed functions. A few errant, experimental worms did get out of control, however, before a “worm watcher” was added to the network.

Trojan Horses

A Trojan horse is a code fragment that hides inside a program and performs a disguised function. In classical mythology, a Trojan horse was a large hollow horse made of wood by Odysseus during the Trojan War. The Greeks hid soldiers inside the horse and left it at the gates of Troy. After the Trojans were persuaded to bring the horse inside the gates, the hidden soldiers opened the doors for the rest of the army, which attacked the city and won the war.

In the modern computer world, a Trojan horse hides in an independent program that performs a useful or appealing function—or appears to perform that function. Along with the apparent function, however, the program performs some other unauthorized operation. A typical Trojan horse tricks a user into running a program, often an attractive or helpful one. When the unsuspecting user runs the program, it does indeed perform the expected function. But its real purpose is often to penetrate the defenses of the system by usurping the user’s legitimate privileges and thus obtaining information that the penetrator isn’t authorized to access. An example of this would be the modern rootkit, which is a script that controls a small suite of programs that create an administrative level account on the targeted system, and then create a backdoor, an unmonitored entrance way that evades the security mechanisms, through which the attacker can later gain convenient access. Trojan horses are often hidden in programs that entice users by displaying information about new system features or by hiding in downloadable applications or games.

Many web site operators today insert Trojan horses that create content that pops up on your screen while you are doing other functions. While the marketers may claim they are merely displaying additional advertisements that may be in sync with what you were currently browsing, what they are actually doing is monitoring your actions, and then sending out codes over your network that pull in content you did not request, and then put it in front of you. For this service they charge the content owner a fee.

Dan Edwards of NSA is credited as being the first to use the term “Trojan horse”[21] in the context of malicious software. One classic Trojan horse attack was described by Dennis M. Ritchie.[22] An attacker wrote a “password grabber” program that simulated the normal login process and ran it on the victim’s computer. When an unsuspecting user saw the login: prompt and attempted to log in, the program captured her username and password and transmitted them to whoever was doing the spying. The Trojan then prompted the victim to reenter the username or password, claiming there had been an error, and then shut itself off. The user then ran through the normal login sequence in the ordinary way, but perhaps resolving to take more care in typing. One unpublicized defense against such an attack may have been to enter a curt two-word epithet as the first logon attempt, and then to log in normally on the second try.

Some Trojan horses do not actively interact with the user, but instead simply monitor keystrokes on the keyboard. This technique can seize passwords more readily with less risk of detection. Other versions of this ploy snatch the user’s name, credit card numbers, and expiration dates for transmission to a storage facility. The numbers are later tested by placing a small order. If the numbers prove valid, they are sold to unscrupulous customers.

A clever Trojan horse will leave no trace of its presence, may reside indefinitely in unsuspecting software, and may even be programmed to self-destruct before it can be detected.

Bombs

Not all malware goes to work immediately. Attacking code can be stealthier if it just lies low for a while, often using an assumed filename or a filename that is very close to a legitimate system file. Later, the attack can be launched when it is not expected. Sometimes this approach is called a bomb. A bomb is a type of Trojan horse, used to release a virus, a worm, or some other system attack. It’s either an independent program or a piece of code that’s been planted by a system developer or a programmer. A bomb works by triggering some kind of unauthorized action when a particular date, time, or condition occurs.

Technically, there are two types of bombs: time and logic. A bomb that’s set to go off on a particular date or after some period of time has elapsed is called a time bomb. The Friday the 13th Virus, which started doing damage on the first Friday the 13th in 1988, is an example of a time bomb. A bomb that’s set to go off when a particular event occurs is called a logic bomb. Software developers have been known to explode logic bombs at key moments after installation—for example, if the customer fails to pay a bill or tries to perform an illicit copy.

A.K. Dewdney described a logic bomb in the French spy novel by Thierry Breton and Denis Beneich, Softwar: La Guerre Douce:[23]

...they spin a chilling yarn about the purchase by the Soviet Union of an American supercomputer. Instead of blocking the sale, American authorities, displaying studied reluctance, agree to the transaction. The computer has been secretly programmed with a “software bomb.” Ostensibly bought to help with weather forecasting over the vast territory of the Soviet Union, the machine, or rather its software, contains a hidden trigger; as soon as the U.S. National Weather Service reports a certain temperature at St. Thomas in the Virgin Islands, the program proceeds to subvert and destroy every piece of software it can find in the Soviet network.

Trap Doors

A trap door, or a back door, is a mechanism that’s built into a system by its designer. The function of a trap door is to give the designer a way to sneak back into the system, circumventing normal system protection. Unlike a logic bomb, which usually explodes in someone else’s system, a trap door gives the original designer a secret route into the software.

Sometimes, programmers leave trap doors (entry points) in a program to allow them to test the program, or monitor its operation, without having to follow what may be cumbersome access rules or security measures. These trap doors also provide a way to get into the program in case there’s a problem with the access routines. Although such trap doors are ordinarily removed before the program is shipped to the customer, sometimes they’re left in the code by accident or by design.

A trap door is typically activated by the person who planted it. Usually, the means of access is not apparent—for example, an unlikely set of keystrokes or sequence of events, or a particular login. Once the developer gets in through the trap door, he may get special program privileges. In the 1983 movie, War Games, the hero gained access to a NORAD computer system by inadvertently entering a trap door planted by its creator (allowing him to log in without an authorized account), setting off a global thermonuclear war game that became all too real.

Another common example of a trap door, although harmless, is the Easter egg. This is hidden code that can only be actuated by an unlikely set of keystrokes, often while doing a specific task. Typically the egg is a set of credits for the unsung authors of the code who have toiled for months or years in anonymity, and feel they deserve at least a mention. Other times, complete games, MIDI tunes, and photo arcades have been included as a little hidden treasure. Various web sites list current Easter eggs as they are discovered and reported.

Spoofs and Masquerades

A masquerade is a generic name for a program that tricks an unsuspecting user into giving away privileges. Often, the ruse is perpetrated by a Trojan horse mechanism in which an authorized user is tricked into inadvertently running an unauthorized program. (The Trojan horse login described earlier is an example of such an attack.) The program then takes on the privileges of the user and may run amok!

A spoof, on the other hand, is an important technique used for misdirection and concealment. Sometimes, a communication that the sender wishes to transmit anonymously is tagged with a false return address. Spoofing return addresses in this way is one of the techniques used to create unsolicited junk email advertisements (spam) with no way to track down the offending sender.

Who Writes Viruses?

In the early days, most virus-like programs were written by geniuses, mainly computer scientists at major corporations and labs, who were still exploring the theoretical limits of computing. The question “What do computers do?” had not been answered. Attempts at producing independent, self-replicating program elements were a valid inquiry into the question of how computers should be used and organized. Nothing was easy about programming in these pioneering days. Assembly language, often considered today the most arcane of the programming arts, was still a bit of a dream. So, by and large, the early experimenters with viral technology, operating before the metaphor was even coined, were the giants.

In today’s world, you buy a computer; you plug it in, or have the kid who sold it to you come out and do so; you connect it to the Internet via a broadband connection; and you are flying. For many, it is an entertainment and communications tool, on which to write the occasional letter, using self-correcting, autoformatting, and grammar-checking office software. The computer has become as far removed from its early users as has the automobile from most of its drivers. True, most mechanics and automotive engineers drive to work, and some shade tree mechanics tinker in the innards, and a few actually make improvements. Most, however, decide on their choice of colors, and whether or not they want chrome rims or white sidewalls for their wheels. Customization has replaced engineering, and in many cases, disposal has replaced repair.

It is in this environment that the new breed of virus writer has emerged. The computer is no longer an awe-inspiring oracle in a glass enclosed tabernacle, into which only the chosen may enter. Today the computer, in the United States at least, is ubiquitous. Almost as many homes have computers as subscribe to newspapers and magazines. And as the entertainment value of the Internet increases, that number may begin to approach the market penetration of the telephone and television, which in the early 1990s was already present in slightly more homes than the number having indoor plumbing. There are so many computers in use today that states such as California have adopted laws concerning their disposal, so that old PCs don’t clog landfills.

In this computer-saturated society, the mystique of the box is replaced by the aura of that to which it connects. The Internet is the new hang-out, and to hang there in style requires you to make your mark. Joyriding and hacking, defacing web sites and tagging walls with spray paint, setting fires in dumpsters, and unleashing viruses are all manifestations of a similar juvenile angst typically permeating affluent nations. The difference is that the street tough guy skins his knuckles, and the script kiddie, which is the pejorative applied to wannabes on the Internet, grows pale and soon needs glasses.

The script kiddie does not usually write viruses: that would take programming skill. Instead, he (or she, though most crackers arrested are male) obtains canned code strings, called scripts, and runs them against targeted machines. In time, this attacker may develop some skill at evading network protection mechanisms, such as firewalls, and be attuned enough to stay ahead of virus protection systems. When all is said and done, however, a few really bright individuals discover flaws in common software, and write exploits against the flaws. Script kiddies hang on these deities for any scripts they may hand down to their adoring followers, who execute them.

The great mass of computer users have unprotected home machines plugged into broadband outlets without any strategy or tools for protection (firewalls and virus-scanning software are discussed later in this chapter). This low hanging fruit is easily sensed and attacked by the scripts, and, before long, the script kiddie has a sufficient herd of zombies that she can launch a DoS attack against someone she doesn’t like or maybe shut down a municipal web site.

If he does not have access to a bright mentor, the script kiddie can download scripts from a cracker web site, likely one that is hard to read, with lots of dirty words, and sprinkled with 1337-script (pronounced “elite”—with certain letters replaced by similar looking letters, 1 for l, 3 for E, 7 for t). Fortunately, something happens to most of these: they grow up and some of them actually find work in the information technology industry.

Then there are the bright, criminally-minded ones who don’t leave their hacking days behind and who become cyber thieves, spies, anarchists, and terrorists. Skillfully manipulated, lots of zombied computers could cause a lot of trouble. One Polish organization claims it can push spam with impunity regardless of changes in the law, simply by activating a few of its 500,000 zombies. A half-million machines throwing out millions of emails a day can be an inconvenience to a lot of people, but the real question may be “What else could they do?”

Any worthwhile technique learned by phone phreakers (those who attempt to outwit the public telephone network by synthesizing its control mechanisms so as to avoid charges) is likely in the hands of various militaries, as is the best work of the crackers. Electronic countermeasures going well beyond mere listening (ELINT) are likely practiced daily, using, say, cell phones or phone emulators to access PBXs, which then are used to access—who knows?

Why bother considering electronic high jinks as a form of attack? Perhaps armies do not travel on their cell phones, but economies do. Economic pressure will eventually force a convergence of the myriad of proprietary protocols controlling the devices on factory floors, the SCADA systems controlling dams and waterways, the remote well heads in petroleum exploration, and the power grids supplying the homes and industrial facilities of a nation. Already, convergence is occurring between the Internet and the telephone network, as in Voice over Internet Protocol (VoIP), and some wireless providers have gone full circle, using wireless to transmit IP, on which voice is encoded.

Economic pressure will also force a centralization of control, with one center monitoring several plants rather than each installation being under local control. At that point, when one protocol dominates one network, the third class of virus maker will have their swing, either robbing from us, or extorting us, or simply turning key systems off as a cover for a bigger move. For all we know, World War III might begin with a loss of dial tone, and a string of “Error 404, site not found.” That will be the day to be truly fearful of viruses.

Remedies

There are many programs that can help you keep viruses and other wildlife away from your system—and can wipe out the critters if they gain access. Known as virus protection programs, these programs are available from both commercial and public domain sources. These products, and the system administration procedures that go along with them, have two overlapping goals: they don’t let you run a program that’s infected, and they keep infected programs from damaging your system.

Firewalls

A firewall protects your computer by examining each information packet that travels over the network. Clues to a packet’s purpose can be read from its destination address. Firewalls contain a list of allowed and disallowed destinations and functions. If a packet is heading for a forbidden address or comes from one, the firewall stops it. If a packet is heading for a valid address, but its port identifier (the clue to packet function) is unknown or disallowed, the firewall stops that packet as well. Advanced firewalls even keep track of outgoing packets, and open up only if a packet is expected and returning.

The role of a firewall in preventing active threats such as worms and viruses stems from the fact that these pests often attempt to enter a computer using forbidden paths, such as port numbers that are unmonitored or unusual. The firewall examines each packet, and it quashes those that are unexpected or disallowed.
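The three checks just described (forbidden addresses, disallowed ports, and remembering outgoing packets so that only an expected reply is let back in), as an added example that is not part of the original chapter; the Packet and StatefulFirewall names, the documentation-range addresses and the port numbers are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One network packet as the filter sees it (constructed for this example)."""
    src: str        # source IP address
    dst: str        # destination IP address
    sport: int      # source port
    dport: int      # destination port (the clue to the packet's function)
    direction: str  # "out" = leaving the protected host, "in" = arriving


class StatefulFirewall:
    """Toy filter with the checks the chapter describes: forbidden addresses,
    disallowed ports, and state tracking so only expected replies get in."""

    def __init__(self, forbidden_hosts, allowed_inbound_ports):
        self.forbidden_hosts = set(forbidden_hosts)
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.expected_replies = set()  # flows opened from the inside

    def filter(self, pkt):
        """Return (accepted, reason) for a single packet."""
        # Check 1: a forbidden address as source or destination stops the packet.
        if pkt.src in self.forbidden_hosts or pkt.dst in self.forbidden_hosts:
            return False, "forbidden address"
        if pkt.direction == "out":
            # Record the flow so that only its reply is let back in later.
            self.expected_replies.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True, "outbound"
        # Check 2: inbound traffic to a port we deliberately serve.
        if pkt.dport in self.allowed_inbound_ports:
            return True, "allowed service port"
        # Check 3: inbound traffic that answers a connection we opened.
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.expected_replies:
            return True, "expected reply"
        # Everything else, such as a probe of an unusual port, is quashed.
        return False, "unexpected port"


if __name__ == "__main__":
    fw = StatefulFirewall(forbidden_hosts={"203.0.113.9"}, allowed_inbound_ports={443})
    me, web = "192.0.2.10", "198.51.100.5"
    print(fw.filter(Packet(me, web, 40000, 80, "out")))         # (True, 'outbound')
    print(fw.filter(Packet(web, me, 80, 40000, "in")))          # (True, 'expected reply')
    print(fw.filter(Packet(web, me, 80, 40001, "in")))          # (False, 'unexpected port')
    print(fw.filter(Packet(me, "203.0.113.9", 40002, 80, "out")))  # (False, 'forbidden address')
```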

Antivirus

Virus protection software uses two main techniques. The first uses signatures, which are snapshots of the code patterns of the virus. The antivirus program lurks in the background watching files come and go until it detects a pattern that aligns with one of its stored signatures, and then it sounds the alarm and maybe isolates or quarantines the code. Alternatively, the virus protection program can go looking for trouble. It can periodically scan the various disks and memories of the computer, detecting and reporting suspicious code segments, and placing them in quarantine.

One problem with signature-based virus protection programs is that they require a constant flow of new signatures in response to evolving attacks. Their publishers stay alert for new viruses, determine the signatures, and then make them available as updated virus definition tables to their users. To access the new tables, users typically download them from the World Wide Web.

Of course, as the number of viruses increases (and it shows no signs of abating), the tables get progressively larger, making frequent updates somewhat of a chore. This is particularly a problem in the case of memory-limited devices such as palm-top computers or intelligent cell phones.

Another problem is called the Zero Day problem. Basically, this occurs when a user trips over a new virus before the publisher discovers it and can issue an updated signature.

A third problem is that, just as with biological pathogens, viruses can mutate. Sometimes this happens accidentally; other times, it happens because a clever programmer uses file compression software to change the signature of the virus when it is not active or even gives it the ability to be self-garbling. This means it can change its own form by introducing extra statements or adding random numbers, to elude signature detection. (A similar technique is sometimes used by bulk emailers to elude subject line scanners.)

To counter these worries, virus protection publishers are adding what are called heuristic detection features to their wares. Basically, a heuristic is a rule or behavior. If a virus exhibits that behavior, the antivirus software tries to stop it in the act. For instance, a code snippet that suddenly accesses a critical operating system area or file, such as a file table definition sector on a hard drive, is likely up to no good, and should be stopped. Other risk indicators include unexplained changes in file size, particularly in system files, sudden decreases in available hard disk space, or changes in file time or date stamps.
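Signature matching, the way a compressed copy slips past it, and the change-based heuristics (size, contents, time stamp, with system files rated higher) discussed in this section, as an added example that is not part of the original chapter; the signature bytes, file records, paths and function names are constructed for illustration, and zlib compression stands in for the file compression the text mentions:

```python
import hashlib
import zlib

# Constructed signature table: byte patterns standing in for virus code snapshots.
SIGNATURES = {"DEMO.A": b"\xde\xad\xbe\xef\x90\x90\xcc"}


def scan_signatures(data):
    """Signature detection: report every stored pattern found in the data."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)


def pack(data):
    """Stand-in for compressing a file: the packed bytes no longer contain the
    raw signature, so scan_signatures() misses the same virus."""
    return zlib.compress(data)


def snapshot(files):
    """Baseline for the heuristics: size, content hash and time stamp per file.
    `files` maps path -> (bytes, mtime); the records here are constructed."""
    return {p: (len(d), hashlib.sha256(d).hexdigest(), t) for p, (d, t) in files.items()}


def heuristic_changes(baseline, files, system_prefix="/system/"):
    """Flag files whose size, contents or time stamp differ from the baseline;
    changes under the system tree are rated high risk, as the text suggests."""
    findings = []
    for path, (data, mtime) in files.items():
        if path not in baseline:
            continue
        size, digest, stamp = baseline[path]
        reasons = []
        if len(data) != size:
            reasons.append(f"size {size}->{len(data)}")
        if hashlib.sha256(data).hexdigest() != digest:
            reasons.append("contents")
        if mtime != stamp:
            reasons.append("timestamp")
        if reasons:
            risk = "high" if path.startswith(system_prefix) else "low"
            findings.append((path, risk, reasons))
    return findings


# Constructed sample: a clean program, then the same program with the
# signature bytes appended, as a file-infecting virus would leave it.
CLEAN = b"MZ\x90\x00" + b"A" * 32
INFECTED = CLEAN + SIGNATURES["DEMO.A"]

if __name__ == "__main__":
    print(scan_signatures(INFECTED), scan_signatures(pack(INFECTED)))  # ['DEMO.A'] []
    before = snapshot({"/system/kernel.bin": (CLEAN, 100), "/home/notes.txt": (b"hi", 100)})
    print(heuristic_changes(before, {"/system/kernel.bin": (INFECTED, 200), "/home/notes.txt": (b"hi", 100)}))
```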

The Virus Hype

Unfortunately, a backlash has recently started against virus alarmists. Like those who too many times cry “wolf” when there is no wolf and so must face danger alone when a wolf actually appears, those who trumpet the dangers of viruses often find the public to be increasingly apathetic when new attacks are discovered. The issue is not helped by an industry that is faintly tainted. Many journalists have noticed that often those who raise loudest the warning cry are owners of companies that publish virus protection software. It makes sense to scare the public into buying protection, but the practice may have questionable ethics.

Almost as troublesome are those who pass on emails that contain warnings of viruses to everybody in their address lists. Often these users are somewhat new to computers. Fearful of losing or damaging their own investments, they wish to spare their friends from calamity. The result is a big stream of well-intentioned junk email, often followed by a chagrined stream of “oops” emails, once they become aware of their apparent naiveté.

The result is that fear of viruses can often be as devastating as the viruses themselves. Not to say that viruses do not wreak havoc. Any administrator who has followed up on the results of a really wicked one, such as the Majester virus that has infected law firms, can tell stories about computers that were crippled beyond recovery. This means that failure to install at least some form of antivirus protection is simply negligent. However, it must be part of a balanced program that includes user education, regular backups, normal security precautions, and intrusion detection software or hardware.

An Ounce of Prevention

A final issue, and perhaps the most important one, is to determine why viruses spread in the first place. These days, software manufacturers are alert to the threat of security holes. Hordes of hackers regularly test network defenses or code vulnerabilities. When a hole is found, in most cases a warning is raised before an exploit is published. Manufacturers scramble to produce small updates, or patches, that improve the affected code and eliminate the vulnerability. It is a sad statement that today many attacks come days or months after a manufacturer learns of a problem and posts a cure.

In short, most people who have virus problems have them because they have not availed themselves of available protections. In most cases, all that would have been needed to prevent a disruption is to have obtained virus protection software. This can be done either by purchasing a commercial product, by downloading a free product from the Web, or by periodically logging on to a web-based scanning service. Also, make sure to keep your virus definition tables updated, and install patches and security updates on operating systems and applications as required.

Do this, and the virus problems that make headlines will for the most part pass you by. To some, the cure must seem worse than the disease. The phenomenon roughly parallels that of smoking, which even some tobacco manufacturers now acknowledge has adverse effects. To some, the risks seem acceptable—until the consequence arrives.

Summary

The worms, viruses, and other wildlife that exist in computers and networks are the descendants of early experiments with autonomous or symbiotic programs. Once unleashed into the wild, these rogue programs can multiply freely. They enter networks from the outside—that is, from connected networks or the Internet—and they enter networks from the inside—that is, from computers and media that users bring from home. Most viruses are nearly harmless. They deprive the network of little more than computer processing time and communications bandwidth, of which there is usually plenty. These viruses exist as a chance for programmers to demonstrate their skills. Others can be devastating, crippling computers, robbing network owners of massive amounts of bandwidth, stealing secrets, defeating security, corrupting data or holding it hostage, even taking down entire systems. These extreme examples demonstrate how creating and propagating viruses and worms can be criminal, even terroristic, in scope.

Effective computer security policies and practices can do much to eliminate the spread of viruses and worms. In the end, however, nothing can do more to stop the spread of pathogenic programs than educating and training users in virus prevention.


